class afs::pam inherits afs {
  if $enablepam {
    package{"pam_afs_session":
      ensure  => installed,
      require => Yumrepo['site']
    }

  if $facts['os']['release']['major'] > '7' {  # for alma8,9
    file {"/etc/krb5.conf":
      owner   => root,
      group   => root,
      mode    => '0644',
      source  => "puppet:///modules/afs/krb5-alma9.conf",
    }
    file {"/etc/pam.d/password-auth":
            owner   => root,
            group   => root,
            mode    => '0644',
            source  => "puppet:///modules/afs/system-auth-ac-9"
    }
    file {"/etc/pam.d/system-auth":
            owner   => root,
            group   => root,
            mode    => '0644',
            source  => "puppet:///modules/afs/system-auth-ac-9"
    }
    file {"/etc/pam.d/sshd":
            owner   => root,
            group   => root,
            mode    => '0644',
            source  => "puppet:///modules/afs/sshd-9",
            require  => Package["pam_afs_session"]
    }

  }
  else {   # for el7
    file {"/etc/krb5.conf":
      owner   => root,
      group   => root,
      mode    => '0644',
      source  => "puppet:///modules/afs/krb5-alma9.conf",
    }
    #exec { 'enable krb5':
    #  command => '/usr/sbin/authconfig --enablekrb5 --update',
    #  timeout => 30,
    #  unless  => '/bin/grep -qc krb /etc/pam.d/*'
    #}->

    file {"/etc/pam.d/password-auth-ac":
            owner   => root,
            group   => root,
            mode    => '0644',
            source  => "puppet:///modules/afs/system-auth-ac-7"
    }
    file {"/etc/pam.d/system-auth-ac":
            owner   => root,
            group   => root,
            mode    => '0644',
            source  => "puppet:///modules/afs/system-auth-ac-7"
    }
    file {"/etc/pam.d/crond":
            owner   => root,
            group   => root,
            mode    => '0644',
            source  => "puppet:///modules/afs/crond"
    }
    #file {"/usr/lib64/security/pam_krb5.so":
    #        owner   => root,
    #        group   => root,
    #        mode    => '0644',
    #        source  => "puppet:///modules/afs/pam_krb5.so"
    #}
    file {"/etc/pam.d/sshd":
            owner   => root,
            group   => root,
            mode    => '0644',
            source  => "puppet:///modules/afs/sshd",
            require  => Package["pam_afs_session"]
    }


  } # end if else


    if $enable_keytab{
      file {"/etc/krb5.keytab":
        owner   => root,
        group   => root,
        mode    => '0400',
        source  => "puppet:///modules/afs/krb5.keytab",
      } ->
      ssh_config { 'GSSAPIDelegateCredentials':
        ensure => 'present',
        value  => "yes",
      } ->
      sshd_config { 'GSSAPIAuthentication':
        ensure => 'present',
        value  => "yes",
        notify => Service['sshd'],
      }
    } # end enable keytab

    sshd_config { 'KerberosAuthentication':
      ensure => present,
      value  => "yes",
      notify => Service['sshd'],
    }

  } # end enable pam
}
